Different baseDN for LDAP authentication per entityID

Cantor, Scott cantor.2 at osu.edu
Fri Feb 3 10:24:42 EST 2017


On 2/3/17, 9:42 AM, "users on behalf of stoneforger" <users-bounces at shibboleth.net on behalf of ext.vasileios.kalampakas at tieto.com> wrote:

> We have three different service providers authenticating against the same IdP.

You will probably be better off just changing that and putting up three IdPs, each dedicated to the right set of users and services.

Almost anything else will require not only extensive customization work and probably custom flows, but also carries a huge risk of screwing something up and creating a security problem. For example, you would have to build custom canonicalization logic to ensure that the username produced by each "source" of authentication was distinct. You have to disambiguate things for the rest of the system; you can't just leave it all operating with overlapping usernames, unless you're going to build a lot of very carefully crafted logic everywhere to base everything on the SP. And it doesn't scale in any conceptual sense; adding new SPs as peers would be a nightmare.

It's just an awful idea.

-- Scott
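The overlapping-username problem the reply warns about, as an added illustration that is not part of the original thread and not Shibboleth code: three constructed LDAP search bases (one per SP population) each legitimately contain a different person with uid "jsmith". The per-SP entityID-to-baseDN mapping and the per-source scopes are hypothetical stand-ins for whatever such a custom flow would have to carry. A naive canonicalizer that only case-folds the uid collapses all three people into one principal; a canonicalizer that qualifies the uid with its source keeps them distinct, which is the kind of extra logic the reply says every downstream component would then depend on.

```python
# Added example (not Shibboleth IdP code): models why per-SP LDAP search bases
# behind a single IdP force you to disambiguate principals by their source.
from typing import Callable, Dict, List, Optional

# Constructed sample data: three search bases with an overlapping uid.
DIRECTORIES: Dict[str, Dict[str, str]] = {
    "ou=staff,dc=example,dc=org":    {"jsmith": "Jane Smith (staff)", "alee": "Al Lee"},
    "ou=students,dc=example,dc=org": {"jsmith": "John Smith (student)"},
    "ou=partners,dc=example,dc=org": {"jsmith": "J. Smith (partner)", "bkim": "Bo Kim"},
}

# Hypothetical mapping from SP entityID to the baseDN its users authenticate against
# (the setup the original poster asked about).
BASE_DN_FOR_SP: Dict[str, str] = {
    "https://sp-staff.example.org/shibboleth":    "ou=staff,dc=example,dc=org",
    "https://sp-students.example.org/shibboleth": "ou=students,dc=example,dc=org",
    "https://sp-partners.example.org/shibboleth": "ou=partners,dc=example,dc=org",
}

# Hypothetical scope label per search base, used to qualify principals.
SCOPE_FOR_BASE_DN: Dict[str, str] = {
    "ou=staff,dc=example,dc=org": "staff",
    "ou=students,dc=example,dc=org": "students",
    "ou=partners,dc=example,dc=org": "partners",
}

# A canonicalizer turns (uid, base_dn) into the principal name the rest of the system sees.
Canonicalizer = Callable[[str, str], str]


def naive_canonicalize(uid: str, base_dn: str) -> str:
    """Case-fold the uid and ignore which directory it came from (the unsafe default)."""
    return uid.lower()


def scoped_canonicalize(uid: str, base_dn: str) -> str:
    """Qualify the uid with a per-source scope so principals from different bases cannot overlap."""
    return f"{uid.lower()}@{SCOPE_FOR_BASE_DN[base_dn]}"


def authenticate(sp_entity_id: str, uid: str, canonicalize: Canonicalizer) -> Optional[str]:
    """Look the uid up in the SP's search base and return the canonical principal, or None if unknown there."""
    base_dn = BASE_DN_FOR_SP[sp_entity_id]
    if uid not in DIRECTORIES[base_dn]:
        return None
    return canonicalize(uid, base_dn)


def find_collisions(canonicalize: Canonicalizer) -> Dict[str, List[str]]:
    """Return every canonical principal that resolves to more than one distinct directory entry."""
    owners: Dict[str, List[str]] = {}
    for base_dn, entries in DIRECTORIES.items():
        for uid, display_name in entries.items():
            owners.setdefault(canonicalize(uid, base_dn), []).append(display_name)
    return {principal: names for principal, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for label, fn in (("naive", naive_canonicalize), ("scoped", scoped_canonicalize)):
        print(f"{label}: collisions = {find_collisions(fn)}")
    # The same uid presented to two different SPs is one principal under the naive
    # canonicalizer and two different principals under the scoped one.
    for fn in (naive_canonicalize, scoped_canonicalize):
        print(authenticate("https://sp-staff.example.org/shibboleth", "jsmith", fn),
              authenticate("https://sp-students.example.org/shibboleth", "jsmith", fn))
```

Running `find_collisions` over both canonicalizers makes the point concrete: the naive version reports "jsmith" owned by three different people, while the scoped version reports nothing. The scoped form only helps if every attribute resolver, authorization rule and audit log downstream consistently uses the qualified name, which is the "very carefully crafted logic everywhere" the reply refers to.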